That way we have the weekend to rush things last minute ;)
2015-03-13 07207, 2015
LordSputnik
Leftmost: yup, that's fine
2015-03-13 07227, 2015
LordSputnik
Ok, so, freeze then, and ask for testing in MB and MB-devel
2015-03-13 07253, 2015
LordSputnik
I'd also like to get control of the twitter account by then, so we can tweet and get MB to share it on release day
2015-03-13 07210, 2015
LordSputnik
Leftmost: anything else on this topic?
2015-03-13 07234, 2015
Leftmost
I'd say we should also have a segment of the meeting on the 27th (if we continue our current schedule) be a quick go/no-go. I don't anticipate us needing a no-go, but it'd be good if we could just take a minute and make sure we're where we want to be.
2015-03-13 07259, 2015
LordSputnik
Ok, that also sounds good
2015-03-13 07229, 2015
Leftmost
Alright. I think that's all I wanted to say on that matter.
2015-03-13 07206, 2015
LordSputnik
Ok, Leo_Verto, anything to add, or should we move to "guiding principles", which sounds very zen-like :P
2015-03-13 07248, 2015
Leo_Verto
well, I currently don't have much time, but trivial stuff like adding forms when the server-side JS is already in place should be no problem
2015-03-13 07231, 2015
Leo_Verto
about that zen stuff, is our website feng shui compliant? :P
2015-03-13 07244, 2015
Leftmost
Guiding principles: I'd like to see us think seriously about what the basic tenets of BB development will be. Software dev always comes with compromises, and I think it would be good to have guidelines which suggest what we should do when two needs come into conflict.
What I was thinking is that we all come up with some ideas about that, put them somewhere wiki-esque, and discuss at some point. It's not urgent, but probably useful in the long run.
2015-03-13 07245, 2015
Leftmost
LordSputnik, kinda like that, yeah.
2015-03-13 07246, 2015
LordSputnik
Ok, we can have a quick brainstorm after the schema discussion at the end
2015-03-13 07258, 2015
LordSputnik
in addition to mailing list talk
2015-03-13 07216, 2015
Leftmost
That's it from me on that topic. I just wanted to get that out there, really.
2015-03-13 07232, 2015
LordSputnik
I think that sort of thing is definitely important, and could also incorporate overall aims/principles of the project as a whole
This is one thing that I think we Must Have before we start collecting data.
2015-03-13 07243, 2015
Freso
+1
2015-03-13 07210, 2015
Leo_Verto
so, probably something creative commons?
2015-03-13 07219, 2015
Freso
I would ask ruaok about his input on this, but keeping it the same as for MB seems sane.
2015-03-13 07228, 2015
LordSputnik
well, at the moment, we have this: "To acknowledge this vital input, we make our data freely available to everyone, for any use." bookbrainz.org/about
2015-03-13 07234, 2015
Leftmost
I took a quick look at MB's exact policy here and I see no issue with just stealing wholesale from them. (CC0 for core data, CC-something-else for stuff that's more BB-specific.)
2015-03-13 07235, 2015
Freso
CC0.
2015-03-13 07243, 2015
Leo_Verto
The way CB does it is that a submitter can choose between CC-BY and CC-BY-NC
2015-03-13 07245, 2015
LordSputnik
so we'll need to make sure whatever we choose and that phrase go together :P
2015-03-13 07203, 2015
Leo_Verto
though CB is a special case
2015-03-13 07204, 2015
Freso
That phrase goes well with CC0.
2015-03-13 07210, 2015
LordSputnik
I don't know my CC* stuff, what's the difference between those two?
2015-03-13 07213, 2015
Freso
Leo_Verto: This isn't CB.
2015-03-13 07217, 2015
Leo_Verto
yeah
2015-03-13 07218, 2015
Leftmost
CC0 is essentially public domain.
2015-03-13 07222, 2015
Freso
-NC is non-commercial.
2015-03-13 07226, 2015
Leftmost
CC-BY is attribution.
2015-03-13 07229, 2015
Freso
(-BY is attribution.)
2015-03-13 07246, 2015
Leo_Verto
so, explicit CC0?
2015-03-13 07259, 2015
LordSputnik
Why isn't all of MB CC0?
2015-03-13 07201, 2015
Leftmost
I tend to prefer copyleft, but I think CC0 has a lot of benefit for a project like ours.
2015-03-13 07207, 2015
Freso
Keep in mind that BB will be storing facts, which in themselves are public domain.
2015-03-13 07226, 2015
Freso
So what we have is a database, which can, in some jurisdictions, fall under copyright or not.
2015-03-13 07251, 2015
Leo_Verto
LordSputnik, CC-BY-SA would be copyleft
2015-03-13 07203, 2015
Freso
CC0 also maintains compatibility for data to move freely MB<->BB, if that's ever going to be needed/wanted.
2015-03-13 07232, 2015
Leftmost
LordSputnik, BY-SA-NC (which is attribution, share alike, non-commercial) applies to annotations, tags, ratings, edit history, and user data.
2015-03-13 07248, 2015
Leftmost
I think it's beneficial to maintain some control over user data at the very least.
2015-03-13 07254, 2015
Leo_Verto
mhm
2015-03-13 07222, 2015
LordSputnik
Ok, so, unless there's a good reason, perhaps we should follow MB
2015-03-13 07224, 2015
Leftmost
I think if we do a CC0/CC-BY-SA-NC split on the same lines as MB, we'll be doing pretty well.
2015-03-13 07225, 2015
Leo_Verto
user data should theoretically stay within the two parties
2015-03-13 07229, 2015
Freso
My vote is: mirror what mb.o does, but ask ruaok for advice before putting it in concrete.
2015-03-13 07236, 2015
Leftmost
Freso, solid plan.
2015-03-13 07247, 2015
Leo_Verto
is ruaok back yet?
2015-03-13 07247, 2015
Leftmost
+1 to what Freso said.
2015-03-13 07253, 2015
LordSputnik pins that to the next MB meeting agenda
2015-03-13 07258, 2015
Freso
Leo_Verto: No, but we're not in a rush.
2015-03-13 07220, 2015
Freso
It's a policy decision, so it can be altered from one minute to the next.
2015-03-13 07225, 2015
Freso
(Until April 1st anyway.)
2015-03-13 07228, 2015
Leo_Verto
yeah
2015-03-13 07248, 2015
Freso
Asking it in the Monday meeting seems sane.
2015-03-13 07259, 2015
LordSputnik
Leo_Verto: Well, with user data, we can be selective with what we release
2015-03-13 07211, 2015
Freso
Other people might also have considerations. kuno might, though he could just as well speak up here.
2015-03-13 07217, 2015
LordSputnik
eg. anything in the user/secrets endpoint isn't public
2015-03-13 07242, 2015
kepstin-laptop
best to keep password hashes out of the public db dumps ;)
2015-03-13 07243, 2015
Leo_Verto
yeah, we were mostly talking about user data available to anyone on the site
2015-03-13 07247, 2015
Freso
Leo_Verto: User data doesn't stay within mb.o. Plenty of people have the tags, public collections, ratings from MB.
2015-03-13 07202, 2015
Leo_Verto
which license does it use?
2015-03-13 07214, 2015
Leftmost
kepstin-laptop, of course. Plain-text only.
2015-03-13 07217, 2015
Freso
CC-BY-SA-NC
2015-03-13 07221, 2015
LordSputnik
Leftmost: haha
2015-03-13 07238, 2015
kepstin-laptop
yep, the only passwords that you are allowed to put in the database dumps are the plaintext ones.
2015-03-13 07246, 2015
kepstin-laptop
ok with me :)
2015-03-13 07250, 2015
LordSputnik
kepstin-laptop: didn't MB do something like that at one point?
2015-03-13 07252, 2015
Leo_Verto
Leftmost, because plaintext passwords are literally uncrackable
2015-03-13 07258, 2015
Leftmost
Leo_Verto, very true!
2015-03-13 07226, 2015
kepstin-laptop
LordSputnik: yeah, due to the change in password hash algorithm causing the passwords to be in a new column, which wasn't filtered out from the dumps
Where are we with this? Leftmost, do you have a certificate already, or do we need to get one somehow? We have a config sample, I think, so provided we have the certificate, it should be simple for someone at MB to set up?
2015-03-13 07207, 2015
Leo_Verto
set up self-signed certs in nginx before and got a big book on best deployment practices
2015-03-13 07211, 2015
Leftmost
LordSputnik, I don't have a cert, but generating one is trivial.
2015-03-13 07230, 2015
Leftmost
It's a handful of well-documented commands, so whenever we need one, I can certainly do that.
Leftmost: and will self-signing generate issues with warnings about untrusted certificates?
2015-03-13 07223, 2015
Leo_Verto
yes
2015-03-13 07224, 2015
Freso
Yes.
2015-03-13 07234, 2015
LordSputnik
So every visitor will see that?
2015-03-13 07239, 2015
Leo_Verto
that's why I'd suggest not enabling https by default
2015-03-13 07242, 2015
Leftmost
Every visitor who tries to sign in.
2015-03-13 07243, 2015
Freso
Well, if they haven't disabled it.
2015-03-13 07243, 2015
Leo_Verto
only for login
2015-03-13 07254, 2015
Freso
No, definitely require it for login.
2015-03-13 07255, 2015
Leo_Verto
only for now of course
2015-03-13 07203, 2015
LordSputnik
So, we're only having HTTPS for login, then?
2015-03-13 07212, 2015
LordSputnik
And user profile editing, hopefully
2015-03-13 07215, 2015
Freso
And post-login, hopefully.
2015-03-13 07223, 2015
Leo_Verto
well, we could leave it on after logging in
2015-03-13 07231, 2015
Freso
Once the cert. has been accepted, the message won't pop up again anyway.
2015-03-13 07238, 2015
Leo_Verto
but the random visitor would not get a scary warning
2015-03-13 07244, 2015
LordSputnik
Ok
2015-03-13 07253, 2015
Freso
But the login cookie/session data shouldn't be sent over plaintext either.
2015-03-13 07218, 2015
Leftmost
Whenever we decide we want a real cert, we can ping ruaok and talk about what we need for that.
2015-03-13 07236, 2015
LordSputnik
So, we need to a) generate certificate, b) adjust kuno's sample HTTPS config to suit our needs, c) make a ticket with the required info for MB to act on
2015-03-13 07247, 2015
Leftmost
LordSputnik, yarp.
2015-03-13 07206, 2015
LordSputnik
Is there an easy way to enable HTTPS for users for all site pages after logging in, but leaving it off beforehand?
2015-03-13 07206, 2015
Leftmost
We'll need to make some adjustments in the code as well, to ensure we send people to HTTPS when they need to be sent there.
LordSputnik, yes, just make the login link link to the https version
2015-03-13 07228, 2015
LordSputnik has left the channel
2015-03-13 07239, 2015
LordSputnik joined the channel
2015-03-13 07256, 2015
Freso
Instead of self-signed. A lot of people will still be getting warnings, but a few browsers do have the CAcert.org in their "accepted CAs" list.
2015-03-13 07257, 2015
Leo_Verto
we could insert a https redirect if logged in into the site header or something
2015-03-13 07237, 2015
Leo_Verto
oh nice, didn't know cacert was a thing :D
2015-03-13 07252, 2015
Freso is using CAcert for freso.dk
2015-03-13 07215, 2015
LordSputnik
So, this is something we need by April 1st, I think?
2015-03-13 07220, 2015
Freso
Yes.
2015-03-13 07221, 2015
Leftmost
Freso, leabharlann, ab ea? :)
2015-03-13 07229, 2015
Freso
"ab ea"?
2015-03-13 07242, 2015
Leftmost
Something like "is it".
2015-03-13 07245, 2015
Leo_Verto
startcom didn't even reissue certs for free after heartbleed...
2015-03-13 07255, 2015
Leftmost
Actually, I should say "an ea".
2015-03-13 07256, 2015
Freso
Ah. It is. :)
2015-03-13 07206, 2015
Leftmost
"ab ea" would be past tense or conditional.
2015-03-13 07216, 2015
Leo_Verto
id est.
2015-03-13 07224, 2015
Freso
Not sure if I'm going to keep that name when I "reboot" the site.
2015-03-13 07249, 2015
Freso
Anyway, that's a bit off-topic for right now. ;)
2015-03-13 07251, 2015
Leftmost
LordSputnik, I'd say so.
2015-03-13 07205, 2015
LordSputnik
Leftmost: Ok, I've added a ticket for the code changes
2015-03-13 07222, 2015
Leftmost
Okay.
2015-03-13 07207, 2015
LordSputnik
I know literally nothing about HTTPS, so Leftmost, could you deal with the certificate acquisition, and Leo_Verto, if you have time before the next meeting, could you take a look at kuno's config and modify it for us?